Add stop gap image registry redirection for OCP Hosted Control Planes

Piotr Godowski · Piotr Godowski · commit cf8bdf86c308 · 2025-06-18T15:17:08.000+02:00
Signed-off-by: Author Name &lt;authoremail@example.com&gt;
diff --git a/scripts/image-redirection-tools/hcp/README.md b/scripts/image-redirection-tools/hcp/README.md
@@ -0,0 +1,34 @@
+# Overview
+
+On [OpenShift Hosted Control Planes](https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/hosted_control_planes/hosted-control-planes-overview), there is no first class support for image registry redirection, which is on OpenShift deployments provided via [`ImageContentSourcePolicy`](https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/images/image-configuration#images-configuration-blocked-payload) or [`ImageDigestMirrorSet`](https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/config_apis/imagedigestmirrorset-config-openshift-io-v1)
+
+There if RFE to provide support for image registry redirection https://issues.redhat.com/browse/XCMSTRAT-994 , yet this document provides stop-gap solution on Hosted Control Planes, before the first class support is provided.
+
+The procedure consists of two steps:
+- creating an image pull secret for the registry mirror to use
+- create a (privileged) `DaemonSet` which updates the worker node's container runtime configuration file, `/var/lib/kubelet/config.json`
+
+## Step 1 - create a secret for the additional config.json.
+
+The config.json can be created by `podman login --authfile`:
+
+```sh
+podman login -u [user]] -p [password] --authfile=/path/to/your/additional/config.json  [registry]
+```
+
+Create the image pull secret `docker-auth-secret` in `kube-system` namespace:
+
+```sh
+oc create secret generic docker-auth-secret \
+--namespace kube-system \
+--from-file=.dockerconfigjson=/path/to/your/additional/config.json \
+--type=kubernetes.io/dockerconfigjson --dry-run=client -o yaml | oc apply -f 
+```
+
+## Step 2 - create a DaemonSet updating container runtime configuration
+
+The DeamonSet init container updates the container runtime configuration on each of the worker node and then sleeps indefinitely.
+
+```sh
+oc apply -f update-docker-config-ds.yaml
+```
diff --git a/scripts/image-redirection-tools/hcp/update-docker-config-ds.yaml b/scripts/image-redirection-tools/hcp/update-docker-config-ds.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+   name: update-docker-config
+   namespace: kube-system
+   labels:
+     app: update-docker-config
+spec:
+   selector:
+     matchLabels:
+       name: update-docker-config
+   template:
+     metadata:
+       labels:
+         name: update-docker-config
+     spec:
+       initContainers:
+         - command: ["/bin/sh", "-c"]
+           args:
+             - >
+               echo "Backing up or restoring config.json";
+               [[ -s /docker-config/config.json ]] && cp /docker-config/config.json /docker-config/config.json.bak || cp /docker-config/config.json.bak /docker-config/config.json;
+               echo "Merging secret with config.json";
+               /host/usr/bin/jq -s '.[0] * .[1]' /docker-config/config.json /auth/.dockerconfigjson > /docker-config/config.tmp;
+               mv /docker-config/config.tmp /docker-config/config.json;
+               systemctl reload crio
+           image: registry.access.redhat.com/ubi9:latest
+           imagePullPolicy: IfNotPresent
+           name: updater
+           resources: {}
+           securityContext:
+             privileged: true
+           volumeMounts:
+             - name: docker-auth-secret
+               mountPath: /auth
+             - name: docker
+               mountPath: /docker-config
+             - name: bin
+               mountPath: /host/usr/bin
+             - name: lib64
+               mountPath: /lib64
+       containers:
+         - resources:
+             requests:
+                 cpu: "0.01"
+           image: registry.access.redhat.com/ubi9:latest
+           name: sleepforever
+           command: ["/bin/sh", "-c"]
+           args:
+             - >
+               while true; do
+                 sleep 100000;
+               done
+       hostPID: true
+       volumes:
+        - name: docker-auth-secret
+          secret:
+            secretName: docker-auth-secret
+        - name: docker
+          hostPath:
+            path: /var/lib/kubelet/
+        - name: bin
+          hostPath:
+            path: /usr/bin
+        - name: lib64
+          hostPath:
+            path: /lib64
+            hostPathType: Directory
